This invention relates to a computer security system which protects the computer software from unauthorized access and protects the computer hardware from unauthorized intrusion or unauthorized removal. In a particular, it pertains to a security system for the "personal" computers now in wide use.
Since their introduction only a few years ago, the number of personal computers in use in corporations and financial institutions has risen dramatically. Many firms have thousands of these computers throughout their organization. In contrast with the high security traditionally afforded computer equipment and data in the past, personal computers are not generally located in high security areas or operated by a relatively small number of highly trained and highly trusted personnel. Personal computers are often left on desks where anyone a operating system boot diskette can access any of the data stored within the computer with the potential for theft of proprietary information and/or the tampering with it. In addition, the location of such computers in unsecured areas and its relatively small physical size leads to theft of the equipment itself. This theft may either be of the entire computer or of valuable parts which are easily concealed so that they may taken past the security guard.
Present security measures have been little more than superficial. Passwords and user identification numbers that are entered via the keyboard are vulnerable to "hackers" and employee laxity in maintaining password secrecy. Because the input is via the keyboard, any person can attempt to guess a user's password by trying different character sequences at random. In addition, users in groups sharing machines often find it convenient to tell others their password in order to facilitate the second individual's access to some function which was intended by management to be available only to the first individual.
The access control programs in general use to not restrict authorized users from gaining access to the operating system from which they can thwart the intended security controls. The signon and menu programs which require the entry of the password before proceeding to load the user's program selection, must be initiated by the user or by the automatic computer start-up procedure. In the former case, the user has access to all of the operating system functions prior to initiating the program requiring the input of the password In the latter case, the signon-menu program can be exited to gain access to the operating system by causing an abnormal program exit such as depressing the control/break keys on many computer systems. Once access to the operating system is obtained, the user can run his programs without the security program in place or possibly change the security program.
Many of the user programs which authorized users of the system may legitimately execute are designed without regard to the control over access to the operating system and provide exits to the operating system themselves. This, too can provide the user access to the operating system and thus the ability to bypass the security program.
It is also possible for a user to insert a diskette into the disk drive found in most computer systems which will enable him to gain access to the operating system and bypass the security functions.
Physical security of the computer system is often provided by wire cable padlocked to the computer and the desk it sits on. However, this presents little deterrent to a professional thief who can easily cut the cables or pick the locks. In addition, if a master key is used for all of the locks to make it easy for authorized personnel to move or repair the equipment, lax handling of this master key can render the use of padlocks and cables worthless. The computer system itself does not have any means to alert security personnel that a theft is in progress, thus allowing the thief to procede without interruption. Furthermore, the cables and locks make it cumbersome for authorized users to move or repair the equipment or make changes in the installed hardware options.